
package com.mocha.auth.endpoint;

import cn.hutool.core.util.StrUtil;
import com.coffee.core.CoffeeResponse;
import com.coffee.core.CoffeeResponseEnum;
import com.coffee.security.SecurityConstants;
import com.mocha.auth.component.CoffeeRegisteredClientDetails;
import com.mocha.auth.handler.CoffeeAuthenticationFailureHandler;
import com.mocha.auth.handler.CoffeeRegisteredClientDetailsLoadHandler;
import com.mocha.auth.util.OAuth2EndpointUtils;
import com.mocha.auth.util.OAuth2ErrorCodesExpand;
import com.mocha.auth.util.SpringContextHolder;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.RequiredArgsConstructor;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.springframework.cache.CacheManager;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.security.authentication.event.LogoutSuccessEvent;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.servlet.ModelAndView;

import java.security.Principal;
import java.util.Map;
import java.util.Set;

/**
 * @author songkui
 * @since 2025-4-17
 */
@Slf4j
@RestController
@RequestMapping
@RequiredArgsConstructor
public class CoffeeTokenEndpoint {

	private final HttpMessageConverter<OAuth2AccessTokenResponse> accessTokenHttpResponseConverter = new OAuth2AccessTokenResponseHttpMessageConverter();

	private final AuthenticationFailureHandler authenticationFailureHandler = new CoffeeAuthenticationFailureHandler();

	private final OAuth2AuthorizationService authorizationService;

	private final CoffeeRegisteredClientDetailsLoadHandler coffeeRegisteredClientDetailsLoadHandler;

	private final RedisTemplate<String, Object> redisTemplate;

	private final CacheManager cacheManager;

	/**
	 * 授权码模式：认证页面
	 * @param modelAndView
	 * @param error 表单登录失败处理回调的错误信息
	 * @return ModelAndView
	 */
	@GetMapping("/token/login")
	public ModelAndView require(ModelAndView modelAndView, @RequestParam(required = false) String error) {
		modelAndView.setViewName("ftl/login");
		modelAndView.addObject("error", error);
		return modelAndView;
	}

	/**
	 * 授权码模式：确认页面
	 * @return {@link ModelAndView }
	 */
	@GetMapping("/oauth2/confirm_access")
	public ModelAndView confirm(Principal principal, ModelAndView modelAndView,
			@RequestParam(OAuth2ParameterNames.CLIENT_ID) String clientId,
			@RequestParam(OAuth2ParameterNames.SCOPE) String scope,
			@RequestParam(OAuth2ParameterNames.STATE) String state) {
		CoffeeRegisteredClientDetails clientDetails = coffeeRegisteredClientDetailsLoadHandler.handle(clientId);
//		SysOauthClientDetails clientDetails = RetOps.of(clientDetailsService.getClientDetailsById(clientId))
//			.getData()
//			.orElseThrow(() -> new OAuthClientException("clientId 不合法"));

		Set<String> authorizedScopes = StringUtils.commaDelimitedListToSet(clientDetails.getScope());
		modelAndView.addObject("clientId", clientId);
		modelAndView.addObject("state", state);
		modelAndView.addObject("scopeList", authorizedScopes);
		modelAndView.addObject("principalName", principal.getName());
		modelAndView.setViewName("ftl/confirm");
		return modelAndView;
	}

	/**
	 * 注销并删除令牌
	 * @param authHeader auth 标头
	 * @return {@link CoffeeResponse }<{@link Boolean }>
	 */
	@DeleteMapping("/token/logout")
	public CoffeeResponse<Boolean> logout(@RequestHeader(value = HttpHeaders.AUTHORIZATION, required = false) String authHeader) {
		if (StrUtil.isBlank(authHeader)) {
			return CoffeeResponse.response(CoffeeResponseEnum.Success);
		}

		String tokenValue = authHeader.replace(OAuth2AccessToken.TokenType.BEARER.getValue(), StrUtil.EMPTY).trim();
		return removeToken(tokenValue);
	}

	/**
	 * 检查令牌
	 * @param token 令 牌
	 * @param response 响应
	 * @param request 请求
	 */
	@SneakyThrows
	@GetMapping("/token/check_token")
	public void checkToken(String token, HttpServletResponse response, HttpServletRequest request) {
		ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);

		if (StrUtil.isBlank(token)) {
			httpResponse.setStatusCode(HttpStatus.UNAUTHORIZED);
			this.authenticationFailureHandler.onAuthenticationFailure(request, response,
					new InvalidBearerTokenException(OAuth2ErrorCodesExpand.TOKEN_MISSING));
			return;
		}
		OAuth2Authorization authorization = authorizationService.findByToken(token, OAuth2TokenType.ACCESS_TOKEN);

		// 如果令牌不存在 返回401
		if (authorization == null || authorization.getAccessToken() == null) {
			this.authenticationFailureHandler.onAuthenticationFailure(request, response,
					new InvalidBearerTokenException(OAuth2ErrorCodesExpand.INVALID_BEARER_TOKEN));
			return;
		}

		Map<String, Object> claims = authorization.getAccessToken().getClaims();
		OAuth2AccessTokenResponse sendAccessTokenResponse = OAuth2EndpointUtils.sendAccessTokenResponse(authorization,
				claims);
		this.accessTokenHttpResponseConverter.write(sendAccessTokenResponse, MediaType.APPLICATION_JSON, httpResponse);
	}

	/**
	 * 删除令牌
	 * @param token 令 牌
	 * @return {@link CoffeeResponse }<{@link Boolean }>
	 */
	@DeleteMapping("/token/remove/{token}")
	public CoffeeResponse<Boolean> removeToken(@PathVariable("token") String token) {
		OAuth2Authorization authorization = authorizationService.findByToken(token, OAuth2TokenType.ACCESS_TOKEN);
		if (authorization == null) {
			return CoffeeResponse.response(CoffeeResponseEnum.Success);
		}

		OAuth2Authorization.Token<OAuth2AccessToken> accessToken = authorization.getAccessToken();
		if (accessToken == null || StrUtil.isBlank(accessToken.getToken().getTokenValue())) {
			return CoffeeResponse.response(CoffeeResponseEnum.Success);
		}
		// 清空用户信息（立即删除）
		cacheManager.getCache(SecurityConstants.USER_DETAILS).evictIfPresent(authorization.getPrincipalName());
		// 清空access token
		authorizationService.remove(authorization);
		// 处理自定义退出事件，保存相关日志
		SpringContextHolder.publishEvent(new LogoutSuccessEvent(new PreAuthenticatedAuthenticationToken(
				authorization.getPrincipalName(), authorization.getRegisteredClientId())));
		return CoffeeResponse.response(CoffeeResponseEnum.Success);
	}

//	/**
//	 * 令牌列表
//	 * @param params 参数
//	 * @return {@link R }<{@link Page }>
//	 */
//	@PostMapping("/token/page")
//	public CoffeeResponse<Page> tokenList(@RequestBody Map<String, Object> params) {
//		// 根据分页参数获取对应数据
//		String key = String.format("%s::*", CacheConstants.PROJECT_OAUTH_ACCESS);
//		int current = MapUtil.getInt(params, CommonConstants.CURRENT);
//		int size = MapUtil.getInt(params, CommonConstants.SIZE);
//		Set<String> keys = redisTemplate.keys(key);
//		List<String> pages = keys.stream().skip((current - 1) * size).limit(size).collect(Collectors.toList());
//		Page result = new Page(current, size);
//
//		List<TokenVo> tokenVoList = redisTemplate.opsForValue().multiGet(pages).stream().map(obj -> {
//			OAuth2Authorization authorization = (OAuth2Authorization) obj;
//			TokenVo tokenVo = new TokenVo();
//			tokenVo.setClientId(authorization.getRegisteredClientId());
//			tokenVo.setId(authorization.getId());
//			tokenVo.setUsername(authorization.getPrincipalName());
//			OAuth2Authorization.Token<OAuth2AccessToken> accessToken = authorization.getAccessToken();
//			tokenVo.setAccessToken(accessToken.getToken().getTokenValue());
//
//			String expiresAt = TemporalAccessorUtil.format(accessToken.getToken().getExpiresAt(),
//					DatePattern.NORM_DATETIME_PATTERN);
//			tokenVo.setExpiresAt(expiresAt);
//
//			String issuedAt = TemporalAccessorUtil.format(accessToken.getToken().getIssuedAt(),
//					DatePattern.NORM_DATETIME_PATTERN);
//			tokenVo.setIssuedAt(issuedAt);
//			return tokenVo;
//		}).collect(Collectors.toList());
//		result.setRecords(tokenVoList);
//		result.setTotal(keys.size());
//		return R.ok(result);
//	}

}
